How to install a virtual honeypot in a private environment

The goal of this document is to explain how to install a virtual honeynet with a single computer and a single public IP address, all in a private environment. To do this, we use Honeywall for the data capture functionality and VMware for virtualization.

A very short introduction

A honeynet allows you to capture and analyze suspicious activities, such as worm propagation or intruders.
For more information on what a honeypot is, refer to the "Know Your Enemy" papers of the Honeynet Project.

Overview

I have an ADSL connection with only one public IP address. My ISP gave me a magic box: a sort of modem which allows me to connect to the Internet. This box has one Ethernet (RJ45) connector and one PCMCIA wireless card (WiFi) with routing capabilities. This device can be replaced by a GNU/Linux gateway.

I have two PCs, one for the virtual honeypot and another one for my daily tasks. Here is the diagram of my configuration:

We are going to install two virtual OSes on the VMware box:

System 1 is the Honeywall gateway, acting as a bridge

System 2 is the honeypot itself

The network diagram looks like this:
The ISP modem must NAT all incoming packets (destination: the public IP address) to the private honeypot address (192.168.128.3). Do NOT do this now! The NAT must be set up only after all the installations, configurations and tests!

Finally, here is the VMware view of the network diagram:
The Honeywall is connected to the vmnet0 interface, which is bridged to the eth0 device. It is also connected to the vmnet1 interface, like the honeypot. This configuration gives us a completely independent network between the two virtual OSes (it cannot be reached from the outside). vmnet2, like vmnet1, is a host-only interface; it is used for Honeywall administration.

In our configuration the honeypot must be connected with an Ethernet link; it is not possible to use WiFi. Wireless LAN cards do not work in a VMware bridged setup, for the following reason: a wireless adapter cannot send packets that have a MAC address different from its own. With bridged networking, the VMware software creates packets from the guest operating system using the guest's MAC address, which differs from the MAC address of the actual network adapter, so a wireless adapter will not send those packets.

VMware Box install

1. GNU/Linux install

First of all, install your preferred distribution. In this article, Ubuntu has been chosen (Ubuntu 6.06 Server i386). Once installed, proceed with the basic configuration.

Network Configuration

My ISP box acts as a DHCP server. I have a web interface which allows me to assign static IP addresses: the DHCP server then always assigns the same IP based on the MAC address of the host. If you are using a Linux gateway, configure your DHCP server to behave the same way.

Configuration is done by executing the command 'vmware-config.pl'. Here is the network part:

Do you want networking for your virtual machines? (yes/no/help) [yes]
Configuring a bridged network for vmnet0.
The following bridged networks have been defined:
. vmnet0 is bridged to eth0
All your ethernet interfaces are already bridged.
Do you want to be able to use NAT networking in your virtual machines? (yes/no) [yes]
Configuring a NAT network for vmnet8.
Do you want this program to probe for an unused private subnet? (yes/no/help) [yes]
Probing for an unused private subnet (this can take some time)...
The subnet 172.16.100.0/255.255.255.0 appears to be unused.
The following NAT networks have been defined:
. vmnet8 is a NAT network on private subnet 172.16.100.0.
Do you wish to configure another NAT network? (yes/no) [no]
Do you want to be able to use host-only networking in your virtual machines? [yes]
Configuring a host-only network for vmnet1.
Do you want this program to probe for an unused private subnet? (yes/no/help) [yes]
Probing for an unused private subnet (this can take some time)...
The subnet 192.168.54.0/255.255.255.0 appears to be unused.
The following host-only networks have been defined:
. vmnet1 is a host-only network on private subnet 192.168.54.0.
Do you wish to configure another host-only network? (yes/no) [no] yes
Configuring a host-only network for vmnet2.
Do you want this program to probe for an unused private subnet? (yes/no/help) [yes]
Probing for an unused private subnet (this can take some time)...
The subnet 192.168.249.0/255.255.255.0 appears to be unused.
The following host-only networks have been defined:
. vmnet1 is a host-only network on private subnet 192.168.54.0.
. vmnet2 is a host-only network on private subnet 192.168.249.0.
Do you wish to configure another host-only network? (yes/no) [no]
[...]
Starting VMware services:
Virtual machine monitor done
Virtual ethernet done
Bridged networking on /dev/vmnet0 done
Host-only networking on /dev/vmnet1 (background) done
Host-only networking on /dev/vmnet2 (background) done
Host-only networking on /dev/vmnet8 (background) done
NAT service on /dev/vmnet8 done

Run ifconfig. You should see at least five network interfaces:

lo (loopback interface)

eth0 (real Ethernet interface)

vmnet1 (host-only network)

vmnet2 (host-only network)

vmnet8 (NAT network, not used)

vmnet0 (the bridged network) does not appear. If the vmnet interfaces do not show up immediately, wait a minute and run the command again. These interfaces should have different IP addresses on separate subnets.

3. VMware Configuration

The Honeywall needs to be in promiscuous mode on its two virtual network interfaces. GNU/Linux does not allow the VMware virtual Ethernet adapter to go into promiscuous mode for a standard user. Running VMware as root is bad for the honeypot's security, which is why we modify the startup script instead. To grant standard users read and write access to the vmnet0 and vmnet1 devices, enter the following commands:

To have this done automatically at boot, edit the VMware startup script (/etc/init.d/vmware) and add the same lines at the end of the start section.
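As an added example (not the article's own commands, which are not reproduced on this page), here is a variant that grants access to a dedicated group rather than to every user, so only the account that runs VMware can open the vmnet devices. The group name "vmnet", the device list and the VMNET_APPLY switch are assumptions; adjust them to your setup.

```shell
#!/bin/sh
# Added example, not from the original article: give a dedicated group (instead
# of everyone) read/write access to the VMnet devices the Honeywall needs in
# promiscuous mode. Group name "vmnet" and the device list are assumptions.
# The functions can be sourced from /etc/init.d/vmware; the main body at the
# bottom only runs when VMNET_APPLY=yes and you are root.

# grant_vmnet_access DEVICE GROUP
#   Make DEVICE owned by GROUP with mode 660 (owner/group rw, nothing for others).
#   Returns 1 if the device does not exist or chgrp/chmod fail.
grant_vmnet_access() {
    dev="$1"
    grp="$2"
    [ -e "$dev" ] || { echo "no such device: $dev" >&2; return 1; }
    chgrp "$grp" "$dev" && chmod 660 "$dev"
}

# vmnet_ok DEVICE
#   Succeed only if DEVICE is group-readable/writable and not world-accessible,
#   i.e. exactly the state grant_vmnet_access leaves it in (GNU/busybox stat).
vmnet_ok() {
    mode=$(stat -c %a "$1") || return 1
    [ "$mode" = "660" ]
}

# Apply to the real devices when explicitly asked to, as root.
if [ "${VMNET_APPLY:-no}" = "yes" ] && [ "$(id -u)" -eq 0 ]; then
    for d in /dev/vmnet0 /dev/vmnet1; do
        grant_vmnet_access "$d" vmnet || exit 1
        vmnet_ok "$d" || { echo "unexpected mode on $d" >&2; exit 1; }
    done
fi
```

Add the user that runs VMware to the "vmnet" group (assumed name) and run the script with VMNET_APPLY=yes from the start section of /etc/init.d/vmware; vmnet_ok doubles as a quick check that the devices did not end up world-writable.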

4.1 VMware guest OS #1 - Honeywall

Now launch VMware with the vmware command and configure a new virtual machine. Choose Custom virtual machine configuration, New Workstation 5 format, Linux guest OS (Linux 2.6), one processor, 192 MB of RAM, bridged network connection and LSI adapter. Create a new virtual disk (8 GB).
Once created, edit the virtual machine settings and add two more network adapters to obtain the following configuration:

Ethernet1 - Bridged: directly connected to the physical interface eth0; allows the Honeywall to be in promiscuous mode and act as a bridge.

Ethernet2 - Host-only: will be connected to the honeypot.

Ethernet3 - Custom, using /dev/vmnet2: also a host-only device, so we have two independent host-only networks. This one is for administration purposes (to connect to the Honeywall shell and web interface).

Get the Honeywall ISO here. Once downloaded, mount it on the VMware virtual CD-ROM drive and proceed with the roo installation. When done, log in as user roo with the default password honey. You can get root access with:

$ su -

The root password is the same as the roo user's. Type halt to stop the machine.

We need static MAC addresses for the ethernet0 and ethernet1 cards. To do this, edit the vmx file:

vi ~/vmware/Honeywall/Honeywall.vmx

Replace addressType = "generated" with addressType = "static". Comment out the generatedAddress and generatedAddressOffset lines and add an address directive. You should end up with something like this:
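The edit just described, as an added example script (not the article's vmx file, which is not shown on this page): it rewrites an adapter's addressType to static, comments out the generated lines and appends the address directive. The vmx fragment and the MAC addresses below are constructed; VMware reserves 00:50:56:00:00:00 to 00:50:56:3F:FF:FF for manually assigned addresses, so pick yours from that range.

```shell
#!/bin/sh
# Added example, not from the original article: switch an ethernetN adapter in
# a .vmx file to a static MAC address. The sample vmx content and the MAC
# addresses are constructed for the demo.

# set_static_mac VMX ADAPTER MAC
#   ADAPTER is the ethernetN prefix (e.g. ethernet0). Rewrites VMX in place:
#   addressType -> "static", generatedAddress* lines commented out, one
#   ADAPTER.address line appended.
set_static_mac() {
    vmx="$1"; adapter="$2"; mac="$3"
    tmp="$vmx.tmp.$$"
    awk -v a="$adapter" -v m="$mac" '
        # generated addressing becomes static addressing
        $0 ~ "^" a "\\.addressType *=" { print a ".addressType = \"static\""; next }
        # keep the old generated values for reference, but disabled
        $0 ~ "^" a "\\.generatedAddress(Offset)? *=" { print "#" $0; next }
        # drop any previous static address so there is never more than one
        $0 ~ "^" a "\\.address *=" { next }
        { print }
        END { print a ".address = \"" m "\"" }
    ' "$vmx" > "$tmp" && mv "$tmp" "$vmx"
}

# static_mac_of VMX ADAPTER
#   Print the static address of ADAPTER; fail if the adapter is not static.
static_mac_of() {
    vmx="$1"; adapter="$2"
    grep -q "^$adapter\.addressType *= *\"static\"" "$vmx" || return 1
    sed -n "s/^$adapter\.address *= *\"\(.*\)\"/\1/p" "$vmx"
}

# Demo on a constructed vmx fragment (not the article's Honeywall.vmx).
demo_vmx="${TMPDIR:-/tmp}/Honeywall-demo.$$.vmx"
cat > "$demo_vmx" <<'EOF'
ethernet0.present = "TRUE"
ethernet0.connectionType = "bridged"
ethernet0.addressType = "generated"
ethernet0.generatedAddress = "00:0c:29:12:34:56"
ethernet0.generatedAddressOffset = "0"
ethernet1.present = "TRUE"
ethernet1.connectionType = "hostonly"
ethernet1.addressType = "generated"
ethernet1.generatedAddress = "00:0c:29:12:34:60"
ethernet1.generatedAddressOffset = "10"
EOF
set_static_mac "$demo_vmx" ethernet0 "00:50:56:01:00:01"
set_static_mac "$demo_vmx" ethernet1 "00:50:56:01:00:02"
cat "$demo_vmx"
rm -f "$demo_vmx"
```

Run it against ~/vmware/Honeywall/Honeywall.vmx with the virtual machine halted; static_mac_of is a quick way to confirm both adapters were converted before you boot the Honeywall again.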

Now we can restart the virtual OS and configure it. Log in as user roo and become root. An automatic configuration will begin. Choose Honeywall configuration and Interview mode. Here is a sample of my answers:

IP address of your Honeypots: 192.168.128.3

local Honeynet Network: 192.168.128.3/32

broadcast address of the honeynet: 192.168.128.3

management interface: yes

eth2

IP: 192.168.249.2

mask: 255.255.255.0

gateway: 192.168.249.1

dns: 212.27.54.252

activate this interface on boot

Configure SSH

the IP address that can access the management interface: 192.168.249.1/32 (this is the IP address of the vmnet2 interface)

Verify that you have access to the management interface from the VMware box. It is not possible to connect from the outside: you must first connect to your VMware box before getting access to the Honeywall. If you want to modify the configuration, you can use the menu command. Do not forget to change the default roo and root passwords!

All of your Honeywall configuration is in the /hw/conf/ directory. There is also an ASCII configuration file, /etc/honeywall.conf, which contains all of these configuration values.

The Honeywall management interface is linked to a VMware host-only interface, so the Honeywall cannot reach the Internet through it. This is a big problem, because it means no mail alerts! To correct this, we have to enable packet forwarding and add an iptables rule on the VMware box: we need to masquerade all packets coming in from the Honeywall management interface so they can go out. This must be done at boot, so add this to your firewall rules:

Verify that it works: DNS resolution with host, ping, and time synchronization with ntpdate are a good start.

4.2 VMware guest OS #2 - Honeypot

Here you can install a GNU/Linux, Solaris, Windows or *BSD system, just make your choice... (Sebek is not available for other platforms). This howto continues with an Ubuntu system.

The VMware configuration is the same. The network configuration is simple: Ethernet1 on the host-only network. After this, the Honeywall will be connected to the honeypot. This network is independent and separated from the outside network: packets must pass through the bridge.

As with the Honeywall, mount the distribution ISO and proceed with the installation.

4.2.1 Sebek client install

Sebek is a kernel-based data capture tool. It is an open-source tool based on a client-server architecture. The Sebek client uses techniques similar to those of kernel-based rootkits to gather and capture information. The data are then exported to the Sebek server. For more information see http://www.honeynet.org/papers/sebek.pdf

Compiling the Sebek client on another machine is a best practice, which is why the build process generates a binary tar file. This avoids leaving traces of Sebek's existence on the honeypot. The tar file contains the configuration scripts and kernel modules required to install Sebek. See the links in the "Security issue" section of this document to learn more about this.

So, we are going to compile Sebek on our real host, and then install it on the honeypot guest OS.

We have only one honeypot, so we can disable the raw socket replacement (--disable-raw-socket-replacement); see the BUILD file for more information. With the raw socket replacement disabled, Sebek no longer hides itself, which seems to be a small bug. To force the Sebek module to hide (otherwise you will see an "sbk" module in the module list), edit the main source file src/sebek.c. In the sebek_init(void) function, replace:

5. Remote Administration

Now we are going to see how to manage our VMware box remotely. All of this is done over an SSH connection from a remote host. To test it, activate port forwarding on your ISP box administration console or on your gateway: all incoming Internet packets have to be NATed to the VMware box (192.168.128.2). At the end, after testing our network, we will change the NAT to point to our honeypot (192.168.128.3).

5.1 Automated boot

First of all, VMware requires a GUI to start, so we need an X server up and running automatically at boot. To do that, configure gdm to perform an automatic login:

$ gdmsetup

This shows a dialog box. In the Security tab, activate Enable Timed Login.

5.2 Enhanced VMware command line interface

VMware needs a GUI to start, but we do not need access to it; we only need SSH access. So let's see how to start VMware without any X11 forwarding or VNC.

VMware provides the vmrun command for managing virtual machines and snapshots. You can create, delete, list and revert to specific snapshots.

$ vmrun
vmrun version 5.5.1 build-19175
Usage: vmrun COMMAND [PARAMETERS]
COMMAND           PARAMETERS                 DESCRIPTION
list                                         List all running VMs
start             Path to vmx or vmtm file   Start a VM or Team
stop              Path to vmx or vmtm file   Stop a VM or Team
reset             Path to vmx or vmtm file   Reset a VM or Team
suspend           Path to vmx or vmtm file   Suspend a VM or Team
upgradevm         Path to vmx file           Upgrade VM file format, virtual hw
installtools      Path to vmx file           Install Tools in Guest OS
listSnapshots     Path to vmx file           List all snapshots in a VM
snapshot          Path to vmx file           Create a snapshot of a VM
                  Snapshot name
deleteSnapshot    Path to vmx file           Remove a snapshot from a VM
                  Snapshot name
revertToSnapshot  Path to vmx file           Set VM state to a snapshot
                  Snapshot name

Setting DISPLAY=:0.0 lets vmrun use the existing X server on the VMware box. :0.0 is the default for the primary X server; yours may be different.

If your virtual machines require input through a VMware Workstation dialog box, vmrun may time out and fail. To disable Workstation dialog boxes, insert the following line into the .vmx configuration file of your virtual machine: msg.autoAnswer = TRUE

Here is my control script for launching the Honeywall and the honeypot snapshot:
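An added example of such a control script (written for this page; it is not the author's script, which is not reproduced here). The vmx paths, the snapshot name "clean" and the VMRUN override are assumptions. The point it makes is ordering: the Honeywall is started before the honeypot and stopped after it, so the honeypot is never on the wire without the bridge in front of it, and every run of the honeypot starts from a known-good snapshot.

```shell
#!/bin/sh
# Added example, not the author's control script: start/stop the honeynet with
# vmrun over SSH. Paths, snapshot name and the VMRUN override are assumptions.

HW_VMX="${HW_VMX:-$HOME/vmware/Honeywall/Honeywall.vmx}"
HP_VMX="${HP_VMX:-$HOME/vmware/Honeypot/Honeypot.vmx}"
HP_SNAPSHOT="${HP_SNAPSHOT:-clean}"     # assumed name of the tested, clean snapshot
VMRUN="${VMRUN:-vmrun}"                 # overridable so the logic can be tested with a stub

# Reuse the X server already running on the VMware box (see the note on DISPLAY).
export DISPLAY="${DISPLAY:-:0.0}"

# Bring up the bridge first, then reset the honeypot to its clean snapshot and start it.
honeynet_start() {
    "$VMRUN" start "$HW_VMX" || return 1
    # Changes an intruder made during the previous run never carry over.
    "$VMRUN" revertToSnapshot "$HP_VMX" "$HP_SNAPSHOT" || return 1
    "$VMRUN" start "$HP_VMX"
}

# Stop the honeypot before the Honeywall, so it is never running unbridged.
honeynet_stop() {
    "$VMRUN" stop "$HP_VMX" || return 1
    "$VMRUN" stop "$HW_VMX"
}

honeynet_status() {
    "$VMRUN" list
}

# Dispatch only when called with an argument, so the file can also be sourced.
case "${1:-}" in
    start)   honeynet_start ;;
    stop)    honeynet_stop ;;
    restart) honeynet_stop && honeynet_start ;;
    status)  honeynet_status ;;
    "")      ;;
    *)       echo "usage: $0 {start|stop|restart|status}" >&2; exit 2 ;;
esac
```

Combined with the msg.autoAnswer = TRUE setting above, "ssh vmwarebox ./honeynet start" is enough to bring the whole honeynet up without ever opening the VMware GUI.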

5.3 Web Interface

The web interface, named Walleye, helps you with day-to-day remote Honeywall administration. It also provides data analysis functionality. To use it, launch your favorite browser and go to https://ww.xx.yy.zz, where ww.xx.yy.zz is the IP address of your Honeywall management interface (192.168.249.2 for me). In our configuration we can only access it locally, from the VMware box.

If you want to access it from your remote computer, you need to add a few iptables rules on the VMware box (add these to your firewall rules):
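An added example (not the article's firewall rules, which are not shown on this page) covering both iptables needs described so far: the masquerade rule from section 4.1 that lets the Honeywall management interface reach the Internet for mail alerts, DNS and NTP, and the rules from section 5.3 that expose Walleye to one remote administrator. The interface names and 192.168.249.x addresses are the article's; the admin host 203.0.113.10 and external port 8443 are assumptions (203.0.113.0/24 is a documentation range). The SNAT rule is needed because, as configured above, the Honeywall only accepts management connections from 192.168.249.1/32.

```shell
#!/bin/sh
# Added example, not from the original article: iptables rules for the VMware
# box. Admin host and external port are assumptions; everything else follows
# the article's addressing.

EXT_IF="${EXT_IF:-eth0}"                        # bridged physical interface
MGMT_IF="${MGMT_IF:-vmnet2}"                    # host-only management interface
MGMT_NET="${MGMT_NET:-192.168.249.0/24}"
MGMT_HOST_IP="${MGMT_HOST_IP:-192.168.249.1}"   # vmnet2 address of the VMware box
HONEYWALL_IP="${HONEYWALL_IP:-192.168.249.2}"
ADMIN_IP="${ADMIN_IP:-203.0.113.10}"            # assumption: your remote admin host
WALLEYE_PORT="${WALLEYE_PORT:-8443}"            # assumption: external port for Walleye

# build_rules
#   Print one iptables invocation per line. Separated from apply_rules so the
#   rule set can be reviewed or tested without touching the live firewall.
build_rules() {
    cat <<EOF
iptables -t nat -A POSTROUTING -s $MGMT_NET -o $EXT_IF -j MASQUERADE
iptables -A FORWARD -i $MGMT_IF -o $EXT_IF -s $MGMT_NET -j ACCEPT
iptables -A FORWARD -i $EXT_IF -o $MGMT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -i $EXT_IF -p tcp -s $ADMIN_IP --dport $WALLEYE_PORT -j DNAT --to-destination $HONEYWALL_IP:443
iptables -A FORWARD -i $EXT_IF -o $MGMT_IF -p tcp -s $ADMIN_IP -d $HONEYWALL_IP --dport 443 -j ACCEPT
iptables -t nat -A POSTROUTING -o $MGMT_IF -d $HONEYWALL_IP -p tcp --dport 443 -j SNAT --to-source $MGMT_HOST_IP
EOF
}

# apply_rules
#   Enable IPv4 forwarding and run every rule in order. Needs root.
apply_rules() {
    echo 1 > /proc/sys/net/ipv4/ip_forward || return 1
    build_rules | while IFS= read -r rule; do
        $rule || exit 1   # leaves the pipeline subshell with status 1
    done
}

# rule_count
#   Number of rules produced; a cheap sanity check for a boot-time script.
rule_count() {
    build_rules | wc -l | tr -d ' '
}
```

Only the first three lines are needed for section 4.1; the last three open Walleye to ADMIN_IP alone, which keeps the management network invisible to everyone else on the Internet. Add "net.ipv4.ip_forward = 1" to /etc/sysctl.conf if your distribution does not persist the /proc setting.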

5.4 Tests

The honeypot must not be able to reach your private network (192.168.128.1, ...)!

Verify that you receive the Honeywall email alerts.

...

5.5 Start having fun

Once you have tested your configuration, snapshot your VMware virtual hosts. Now you can start having fun :)

For my first test I decided to create dumb system accounts with login/password pairs like admin/admin or mysql/mysql. These accounts can be accessed remotely via SSH. You can also run an unsecured PHP site, like an old phpBB forum... Anything is possible!

When your honeypot is ready to receive visitors, change your ISP box or gateway configuration to NAT all incoming Internet packets to the honeypot (192.168.5.3). Also configure a special port redirect to keep remote access to the VMware box; the SSH daemon must listen on this special port. You can also configure port knocking to be more discreet.

With this first testing environment, it took only one hour to get an unauthorised access... here is what happened:

a remote script tried to brute-force my SSH accounts

it gained access to my honeypot with the two accounts admin and mysql

it changed the passwords to keep this access for itself

it looked at some system information (uptime, /proc/cpuinfo, ...)

All of this happened in a few seconds. Then a real person came... and installed an IRC bot, connecting the honeypot to a botnet.

Security issue

There are a lot of documents on the SecurityFocus web site about security and best practices. Here are some links: